Risky Business

In 2006, Georgia's information technology systems were a borderline mess. No one was a harsher critic than the man in charge of them. "Our business model...

In 2006, Georgia's information technology systems were a borderline mess. No one was a harsher critic than the man in charge of them. "Our business model and our delivery model were not working for our customers," recalls Patrick Moore, then, as now, executive director of the Georgia Technology Authority. By Moore's measure, the overall reliability of IT services was questionable, whether the job was safeguarding massive amounts of data on government retirees or allowing state police to run license plate numbers quickly during traffic stops. "We weren't keeping up with existing technologies or leveraging resources to make enterprise-wide changes," Moore says.

After weighing whether improvements could be made in-house, Moore, Governor Sonny Perdue and other top state officials decided to turn Georgia's IT systems over to a private vendor to operate--employees and all. From data centers and servers to laptops and printers, the system would be better served, they believed, if it was run by a company steeped in private-sector best practices. In 2007, the state began to woo vendors, with a request for proposal that was one of the largest government technology contracts up for bid at the time. There was a deep pool of potential private-sector talent to take on the task. Moore figured at least a dozen well-known vendors were capable of taking over the state's technology infrastructure. "Whether it's IBM, EDS, Northrop Grumman or CSC," he says, "there were a number of providers qualified to do this work."

In other words, the state had all the ingredients for some lively jostling among vendors to nail down the contract. Except the jostling never happened. One by one, competitors dropped out of the running without even submitting bids. In the end, the state identified three teams of contractors that were qualified to handle the work, and only one, led by IBM, formally responded to Georgia's RFP. Last fall, the state signed an eight-year, $873 million contract to turn over IT for 12 state agencies--representing 80 percent of the state's computing infrastructure--to Big Blue, with Dell and Xerox as subcontractors. A related five-year, $346 million contract to manage the state's computer networks and telephones also went to a different sole bidder--a group led by AT&T--after two other qualified vendor teams dropped out.

In signing a pair of sole-source contracts, Georgia breezed right past at least two yellow flags of caution. One had been raised by the governor himself, just after he came to office in 2003. Perdue's predecessor had put out to bid an even larger version of the same outsourcing plan. And that deal, too, had received only one bid. Killing that contract before it was signed was one of the first things Perdue did as governor. As he explained to the Atlanta Journal-Constitution, the deal would have "put us in a sole-source situation that would not be a good long-term deal for the state." The governor said he wanted to inject "more competitiveness" into the process. Apparently, the competitiveness he desired did not materialize.

The second yellow flag was being waved in Texas. At the very moment Georgia was finalizing its deal with IBM, Texas Governor Rick Perry was temporarily suspending his state's own partnership with that company in a substantially similar type of tech outsourcing contract. A computer crash in the state attorney general's office had destroyed hundreds of critical records, and Texas was accusing IBM of failing to back up important data. Most of the media attention focused on a senior state official's tongue-lashing of IBM and the $900,000 the company was docked for the flub. Hardly anybody noted the circumstances that had led up to the contract between Texas and IBM in the first place: Despite the immense size of the deal--$863 million over seven years--only two vendors had bid on the work. (Northrop Grumman was the other.)

Taken together, the cases of Georgia and Texas raise an important question about how governments are contracting for giant technology deals these days. One of the points of the whole

outsourcing exercise is competition: Governments like to be able to play numerous vendors off each other. For one thing, bidding provides confidence that government is getting the best deal possible. It also lends comfort that the bidders are not being asked to do an impossible task--and that if all else fails, other vendors might be out there to help pick up the pieces. "It is always helpful to have multiple bidders in the process," says Linda Mills, president of the information systems group at Northrop Grumman, which dropped its bid for Georgia's work. "The best situation for states is when they can use the market to help them determine the best value through competition."

But one bidder in Georgia and two in Texas isn't really competition, especially for outsourcing deals of this magnitude. What's going on? Are the states scaring away the vendors they need to stir up healthy bidding for their business? "It's always a concern when you have a just a single bidder," says Douglas Richins, formerly head of procurement for the state of Utah and now a consultant to the Western States Contracting Alliance. In sole-source situations, Richins says, states should be wondering, and perhaps investigating, why obvious contenders dropped out of the running. The winning bidder, too, should be more than a bit worried about why nobody else seems to want the work.

For their part, neither Georgia nor IBM appear to be as concerned as Richins is. GTA spokesman Michael Clark says the state didn't investigate why so many other potential vendors backed out, but the fact that they did "doesn't make us nervous at all." Asked whether he wasn't a little worried about being the only vendor willing to bid on the Georgia job, IBM's general manager of strategic outsourcing, Brian Whitfield, insists he has no concerns. "IBM's experience with our clients," he says, "is they recognize the challenges they face, and understand the difficult task of getting from a decentralized, inefficient infrastructure to a consolidated, resilient and efficient environment."

The whole business of large-scale tech contracting is stunningly complicated, but some simple principles still drive the process. For vendors to pursue contracts, they have to be reasonably certain that they're not being set up for a frustrating tail chase, fiscal pain or outright failure. Yet states seem to be getting stingier about what they're willing to pay for these mega-projects. Texas went so far as to put a ceiling on what it would spend. No doubt, public-sector budgeters like the certainty that goes along with a fixed-price, multiple-year contract. But it also represents a fiscal straitjacket that makes some vendors nervous about getting involved.

At the same time, states have been writing RFPs that put the onus for the performance of these gargantuan efforts almost completely on vendors. The Georgia outsourcing master contract is hundreds of pages long, laying out excruciating detail about vendor responsibilities and performance-level demands. In other words, when glitches come up, responsibility almost always falls on the vendor. That, too, seems comforting from government's point of view. From the perspective of most tech companies, however, it's all the reason they need to take a pass. "Our first responsibility is to our shareholders," says a spokesman for one major firm that looked seriously at the Georgia job, only to back away. "We need to make a profit. And we just can't work in states that want us to accept all the risk."

One major outsourcer that sat out the final bidding in both Georgia and Texas was Texas-based EDS. While declining to comment directly on events in any specific state, Frank Chechile, who heads up the EDS state and local practice, says the company needs to be confident it is moving into an operating environment where it can clearly help a state or locality improve its IT performance. But the bottom line, he says, is the bottom line: EDS (which was purchased last year by HP) needs to make money.

One common thread between the Georgia and Texas contracts is that both states used the same consultant, Technology Partners Inc., to help them write their RFPs and work through the details of the contracts with IBM. Don Flores, head of TPI's state and local practice, says his shop is skeptical of bids that appear "too aggressive"--that is, where vendors seem to be low-balling. Flores also says he speaks up when he thinks clients are being unrealistic about costs. "If a government procurement team has never done something like this before, their normal position is going to be to look at the lowest price, and that's not the right answer," Flores says. "As an adviser, we'll push back on that."

Glenn Davidson sees the situation a bit differently. Davidson heads the public-sector practice of EquaTerra, a company that bid unsuccessfully against TPI for the right to serve as negotiator on the Texas and Georgia consulting jobs. He says executives from some of the large IT companies that dropped out of the running in both Georgia and Texas told him flat-out that "they weren't sure they could make their margin." They also complained that Georgia and Texas were imposing so much risk and liability on vendors that they "feared if something went wrong, they couldn't avoid penalties, and that they would be extreme."

That is exactly what happened in Texas. In addition to the $900,000 that IBM had to credit back to the state for failing to back up data, the company has been docked more than $6 million as of the end of February for failures to provide promised services and meet certain deadlines.

Davidson speculates that IBM may have been willing to agree to contract terms in Texas that other vendors wouldn't accept in order to establish a beachhead in the market for other giant outsourcing contracts from state governments. "IBM really got squeezed on pricing, the solution and the time frame," Davidson says. "They were all too aggressive."

But many industry insiders say IBM has been treated unfairly, both by Texas and by the press. While details of how the attorney general's data vanished remain murky, one person who has worked on both the public- and private-sector sides of large-scale IT consolidations says Texas has to share some of the blame.

Lara Coffer, of the Texas Department of Information Resources, acknowledges that there has been a "communication gap" at times between the state and IBM, and that some agencies have resisted being rolled into the outsourcing deal. IBM's Whitfield concedes that surprises were sure to come up in a project the size of the one in Texas. While the company attempted a "wall-to-wall inventory" of the IT assets it was taking control of, it's inevitable that "you find a batch of servers off somewhere that nobody knew were there."

"When you're dealing with a project that's this large and complex," Whitfield continues, "no matter how comprehensive your contract is, it's not going to cover 100 percent of everything." What seemed certain in the wake of the Texas data dump, however, was that IBM was going to have to accept something like 100 percent of everything when it came to the blame.

Every big tech project comes with a certain amount of risk built into it. What varies is how states choose to handle it. Texas and Georgia, which placed virtually all the risk on the vendor, represent one end of a spectrum. On the other end is the approach taken by Michigan and Missouri, which chose to handle their own massive data-center consolidations in-house. By doing the work themselves, those states absorbed total responsibility in the event anything major went wrong. But they also figured they could absorb as possible savings whatever profits a private vendor stood to make on such a deal. "Whether you're insourcing or outsourcing, consolidation involves a huge amount of risk," says Ken Theis, director of the Michigan Department of Information Technology. "And anything that risky ought to offer a good return on investment."

There are other models for how governments can handle contracting risk on big IT jobs. Pennsylvania, for example, broke up its massive IT consolidation into bite-sized phases. That meant that if any one piece of the project blew up, the damage would be contained. Virginia took an approach that is closer to the Georgia and Texas model, but modified in an important way. The state and its contractor, Northrop Grumman, agreed on a fixed annual price, but also agreed to work closely together on trouble-shooting as the job progressed. Aneesh Chopra, Virginia's technology secretary (and President Obama's pick to be the federal chief technology officer), says there are advantages to the way Virginia structured its deal. The state and the vendor share the risks, as well as the rewards--a profit for Northrop Grumman and efficiencies for Virginia. Chopra acknowledges that the partnership has experienced its own bumps along the way. But looking at the Texas situation, he says, "We're in a much healthier place."

Meanwhile, in Texas, IBM is back to work, having served its time-out and paid its penalty. And in Georgia, the rollover of state staff onto the IBM payroll on April 1 went off smoothly. Officials in both states predict that there will be glitches along the way, but say they are confident that those will be worked out.

Ultimately, it's up to each state to decide how much risk it wants to place on its own shoulders--and how much it wants to make vendors accept. But states need to be careful in the way they go about it. As much as technology vendors need governments as customers, governments need choices among vendors, each of which brings varying forms of expertise to the complicated business that increasingly undergirds just about everything governments do.